authorSara Golemon <pollita@php.net>2019-07-09 11:18:13 -0400
committerSara Golemon <pollita@php.net>2019-07-09 11:36:48 -0400
commitf65956e4fb4dc15ba8129e69b13a2cd758e85f46 (patch)
tree0e5310f3abf0b7ff2fa3f6825f62c8a4a18621e4
parentaa0e29a66838bd89547a5a8ec4ae25945556ad54 (diff)
downloadphp-git-f65956e4fb4dc15ba8129e69b13a2cd758e85f46.tar.gz
Relax argon2 mem_cost down to 64k, bump time_cost to 4
-rw-r--r--ext/sodium/sodium_pwhash.c5
-rw-r--r--ext/sodium/tests/php_password_hash_argon2i.phpt18
-rw-r--r--ext/sodium/tests/php_password_hash_argon2id.phpt19
-rw-r--r--ext/standard/php_password.h7
-rw-r--r--ext/standard/tests/password/password_needs_rehash_argon2.phpt14
5 files changed, 28 insertions, 35 deletions
diff --git a/ext/sodium/sodium_pwhash.c b/ext/sodium/sodium_pwhash.c
index d615a24ab6..7b7f574e17 100644
--- a/ext/sodium/sodium_pwhash.c
+++ b/ext/sodium/sodium_pwhash.c
@@ -29,7 +29,6 @@
#if SODIUM_LIBRARY_VERSION_MAJOR > 9 || (SODIUM_LIBRARY_VERSION_MAJOR == 9 && SODIUM_LIBRARY_VERSION_MINOR >= 6)
/**
- * OPSLIMIT and MEMLIMIT are taken from libsodium's MODERATE values.
* MEMLIMIT is normalized to KB even though sodium uses Bytes in order to
* present a consistent user-facing API.
*
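Review bot: Deleting the line that credited libsodium's MODERATE preset leaves the new `PHP_SODIUM_PWHASH_MEMLIMIT (64 << 10)` and `PHP_SODIUM_PWHASH_OPSLIMIT 4` in the following hunk with no documented rationale, so a later reader cannot tell whether they are a libsodium preset or a PHP-specific policy choice. The commit title states the intent (memory relaxed, passes bumped); the header comment should carry the same information, e.g. ` * MEMLIMIT (64 MiB, expressed in KB here) and OPSLIMIT (4 passes) are PHP's own defaults, deliberately lower in memory than libsodium's MODERATE preset; lowering either further reduces the cost of offline guessing, so change them only together with ext/standard/php_password.h and the phpt expectations.` The existing "synchronize ext/standard/php_password.h" note a few lines down stays correct, and that header receives the same two values in this commit.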
@@ -37,8 +36,8 @@
*
* When updating these values, synchronize ext/standard/php_password.h values.
*/
-#define PHP_SODIUM_PWHASH_MEMLIMIT (256 << 10)
-#define PHP_SODIUM_PWHASH_OPSLIMIT 3
+#define PHP_SODIUM_PWHASH_MEMLIMIT (64 << 10)
+#define PHP_SODIUM_PWHASH_OPSLIMIT 4
#define PHP_SODIUM_PWHASH_THREADS 1
static zend_string *php_sodium_argon2_hash(const zend_string *password, zend_array *options, int alg) {
diff --git a/ext/sodium/tests/php_password_hash_argon2i.phpt b/ext/sodium/tests/php_password_hash_argon2i.phpt
index 9ce6c7399e..4522e6d175 100644
--- a/ext/sodium/tests/php_password_hash_argon2i.phpt
+++ b/ext/sodium/tests/php_password_hash_argon2i.phpt
@@ -36,38 +36,38 @@ foreach([1, 2, 4] as $mem) {
--EXPECTF--
Argon2 provider: string(%d) "%s"
Using password: string(44) "%s"
-Hash: string(97) "$argon2i$v=19$m=262144,t=3,p=1$%s$%s"
+Hash: string(96) "$argon2i$v=19$m=65536,t=4,p=1$%s$%s"
bool(true)
bool(false)
Using password: string(44) "%s"
-Hash: string(97) "$argon2i$v=19$m=262144,t=6,p=1$%s$%s"
+Hash: string(96) "$argon2i$v=19$m=65536,t=8,p=1$%s$%s"
bool(true)
bool(false)
Using password: string(44) "%s"
-Hash: string(98) "$argon2i$v=19$m=262144,t=12,p=1$%s$%s"
+Hash: string(97) "$argon2i$v=19$m=65536,t=16,p=1$%s$%s"
bool(true)
bool(false)
Using password: string(44) "%s"
-Hash: string(97) "$argon2i$v=19$m=524288,t=3,p=1$%s$%s"
+Hash: string(97) "$argon2i$v=19$m=131072,t=4,p=1$%s$%s"
bool(true)
bool(false)
Using password: string(44) "%s"
-Hash: string(97) "$argon2i$v=19$m=524288,t=6,p=1$%s$%s"
+Hash: string(97) "$argon2i$v=19$m=131072,t=8,p=1$%s$%s"
bool(true)
bool(false)
Using password: string(44) "%s"
-Hash: string(98) "$argon2i$v=19$m=524288,t=12,p=1$%s$%s"
+Hash: string(98) "$argon2i$v=19$m=131072,t=16,p=1$%s$%s"
bool(true)
bool(false)
Using password: string(44) "%s"
-Hash: string(98) "$argon2i$v=19$m=1048576,t=3,p=1$%s$%s"
+Hash: string(97) "$argon2i$v=19$m=262144,t=4,p=1$%s$%s"
bool(true)
bool(false)
Using password: string(44) "%s"
-Hash: string(98) "$argon2i$v=19$m=1048576,t=6,p=1$%s$%s"
+Hash: string(97) "$argon2i$v=19$m=262144,t=8,p=1$%s$%s"
bool(true)
bool(false)
Using password: string(44) "%s"
-Hash: string(99) "$argon2i$v=19$m=1048576,t=12,p=1$%s$%s"
+Hash: string(98) "$argon2i$v=19$m=262144,t=16,p=1$%s$%s"
bool(true)
bool(false)
diff --git a/ext/sodium/tests/php_password_hash_argon2id.phpt b/ext/sodium/tests/php_password_hash_argon2id.phpt
index e6d4c1ee80..db5145718b 100644
--- a/ext/sodium/tests/php_password_hash_argon2id.phpt
+++ b/ext/sodium/tests/php_password_hash_argon2id.phpt
@@ -36,38 +36,39 @@ foreach([1, 2, 4] as $mem) {
--EXPECTF--
Argon2 provider: string(%d) "%s"
Using password: string(44) "%s"
-Hash: string(98) "$argon2id$v=19$m=262144,t=3,p=1$%s$%s"
+Hash: string(97) "$argon2id$v=19$m=65536,t=4,p=1$%s$%s"
bool(true)
bool(false)
Using password: string(44) "%s"
-Hash: string(98) "$argon2id$v=19$m=262144,t=6,p=1$%s$%s"
+Hash: string(97) "$argon2id$v=19$m=65536,t=8,p=1$%s$%s"
bool(true)
bool(false)
Using password: string(44) "%s"
-Hash: string(99) "$argon2id$v=19$m=262144,t=12,p=1$%s$%s"
+Hash: string(98) "$argon2id$v=19$m=65536,t=16,p=1$%s$%s"
bool(true)
bool(false)
Using password: string(44) "%s"
-Hash: string(98) "$argon2id$v=19$m=524288,t=3,p=1$%s$%s"
+Hash: string(98) "$argon2id$v=19$m=131072,t=4,p=1$%s$%s"
bool(true)
bool(false)
Using password: string(44) "%s"
-Hash: string(98) "$argon2id$v=19$m=524288,t=6,p=1$%s$%s"
+Hash: string(98) "$argon2id$v=19$m=131072,t=8,p=1$%s$%s"
bool(true)
bool(false)
Using password: string(44) "%s"
-Hash: string(99) "$argon2id$v=19$m=524288,t=12,p=1$%s$%s"
+Hash: string(99) "$argon2id$v=19$m=131072,t=16,p=1$%s$%s"
bool(true)
bool(false)
Using password: string(44) "%s"
-Hash: string(99) "$argon2id$v=19$m=1048576,t=3,p=1$%s$%s"
+Hash: string(98) "$argon2id$v=19$m=262144,t=4,p=1$%s$%s"
bool(true)
bool(false)
Using password: string(44) "%s"
-Hash: string(99) "$argon2id$v=19$m=1048576,t=6,p=1$%s$%s"
+Hash: string(98) "$argon2id$v=19$m=262144,t=8,p=1$%s$%s"
bool(true)
bool(false)
Using password: string(44) "%s"
-Hash: string(100) "$argon2id$v=19$m=1048576,t=12,p=1$%s$%s"
+Hash: string(99) "$argon2id$v=19$m=262144,t=16,p=1$%s$%s"
bool(true)
bool(false)
+
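Review bot: The lone `+` at the end of this hunk appends an empty line after the final `bool(false)`, which the parallel argon2i test does not get; run-tests presumably trims trailing whitespace when comparing expectations, so this is cosmetic, but it leaves two otherwise identical test layouts diverging by a stray blank line and is best dropped. The PHP loop that produces these hashes is outside the hunk, which starts at `--EXPECTF--`.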
diff --git a/ext/standard/php_password.h b/ext/standard/php_password.h
index ce3fdba6bb..97a6bf63a2 100644
--- a/ext/standard/php_password.h
+++ b/ext/standard/php_password.h
@@ -34,14 +34,11 @@ PHP_MSHUTDOWN_FUNCTION(password);
#if HAVE_ARGON2LIB
/**
- * OPSLIMIT and MEMLIMIT are taken from libsodium's MODERATE values.
- * Threads are fixed at 1 by libsodium.
- *
* When updating these values, synchronize ext/sodium/sodium_pwhash.c values.
* Note that libargon expresses memlimit in KB, while libsoidum uses bytes.
*/
-#define PHP_PASSWORD_ARGON2_MEMORY_COST (256 << 10)
-#define PHP_PASSWORD_ARGON2_TIME_COST 3
+#define PHP_PASSWORD_ARGON2_MEMORY_COST (64 << 10)
+#define PHP_PASSWORD_ARGON2_TIME_COST 4
#define PHP_PASSWORD_ARGON2_THREADS 1
#endif
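Review bot: The removed line `Threads are fixed at 1 by libsodium.` was the only explanation for `PHP_PASSWORD_ARGON2_THREADS 1` in this libargon2-specific block, and nothing replaces it even though it is unaffected by the cost change; a reader of the libargon2 provider now has no hint why the thread count is not raised — presumably so hashes stay interchangeable with the ext/sodium provider, which should be confirmed. Suggest restoring it next to the synchronisation note as ` * THREADS stays at 1 to match the ext/sodium provider, where libsodium fixes it at 1.` While the comment is being edited, the context line's `libsoidum` is a pre-existing typo for `libsodium`.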
diff --git a/ext/standard/tests/password/password_needs_rehash_argon2.phpt b/ext/standard/tests/password/password_needs_rehash_argon2.phpt
index 9552be1dc9..69588d02ad 100644
--- a/ext/standard/tests/password/password_needs_rehash_argon2.phpt
+++ b/ext/standard/tests/password/password_needs_rehash_argon2.phpt
@@ -10,24 +10,20 @@ if (!defined('PASSWORD_ARGON2ID')) die('skip password_hash not built with Argon2
$hash = password_hash('test', PASSWORD_ARGON2I);
var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['memory_cost' => 1<<17]));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['time_cost' => 4]));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['threads' => 4]));
+var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['memory_cost' => PASSWORD_ARGON2_DEFAULT_MEMORY_COST * 2]));
+var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['time_cost' => PASSWORD_ARGON2_DEFAULT_TIME_COST + 1]));
$hash = password_hash('test', PASSWORD_ARGON2ID);
var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, ['memory_cost' => 1<<17]));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, ['time_cost' => 4]));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, ['threads' => 4]));
+var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, ['memory_cost' => PASSWORD_ARGON2_DEFAULT_MEMORY_COST * 2]));
+var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, ['time_cost' => PASSWORD_ARGON2_DEFAULT_TIME_COST + 1]));
+
echo "OK!";
-?>
--EXPECT--
bool(false)
bool(true)
bool(true)
-bool(true)
bool(false)
bool(true)
bool(true)
-bool(true)
OK!
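Review bot: The `['threads' => 4]` assertions for both algorithms are dropped outright rather than rewritten in terms of the default constants like the memory and time ones, so password_needs_rehash() no longer has any coverage for a differing threads option. If the option is still honoured, `var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['threads' => PASSWORD_ARGON2_DEFAULT_THREADS + 1]));` (and its PASSWORD_ARGON2ID twin) with the matching `bool(true)` expectations would keep that coverage. If the removal is deliberate because one provider does not honour threads, a one-line comment in the test saying so would stop the next reader from re-adding it.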